* Change detection for prefixes and routes triggering resending of RAs and DHCPv6-Reconfigure

+

* Detection of client hostnames and export as augmented hosts-file

+

* Support for RA & DHCPv6-relaying and NDP-proxying to e.g. support uplinks without prefix delegation

+

+

+

+

==== Compliance ====

+

Our aim is to follow [[http://​tools.ietf.org/​html/​rfc7084|RFC 7084]] where possible.

+

Nevertheless compliance has not been verified yet. Please notify us if you find any standard violations.

+

+

+

The following requirements of [[http://​tools.ietf.org/​html/​rfc7084|RFC 7084]] are currently known not to be met.

+

* [[http://​tools.ietf.org/​html/​rfc7084|RFC 7084]] WAA-5 (SHOULD-requirement):​ The NTP-Server is requested and received but currently not processed or used.

+

+

+

===== Upstream configuration for WAN-Interfaces =====

+

The following sections describe the configuration of IPv6 connections to your ISP or an upstream router. Please note that most tunneling mechanisms like 6in4, 6rd and 6to4 may not work behind a NAT-router.

+

+

+

+

==== Native IPv6 connection ====

+

For an uplink with native IPv6-connectivity you can use the following example configuration. It will work both for uplinks supporting DHCPv6 with Prefix Delegation and those that don't support DHCPv6-PD or DHCPv6 at all (SLAAC-only).

+

+

+

/​etc/​config/​network

+

<​code>​

+

config interface wan

+

option ipv6 1 # only required for PPP-based protocols

+

...

+

+

config interface wan6

+

option ifname ​ eth1 # use same ifname as in wan-section or "​@wan"​

+

option proto dhcpv6

+

+

config interface lan

+

option proto static

+

option ip6assign 60

+

...

+

</​code>​

+

+

:!: The package ''​odhcp6c''​ must be installed to use dhcpv6. See [[doc/​uci/​network#​protocol.dhcpv6]] for advanced configuration options.

+

+

+

==== Static IPv6 connection ====

+

Static configuration of the IPv6 uplink is supported as well. The following example demonstrates this.

In a typical tunnel configuration (e.g. HEnet) you get two different ipv6 addresses/​prefixes from the tunnel provider:

+

* **ip6addr**:​ The tunnel endpoint address is like '​2001:​DB8:​2222:​EFGH::​2/​64'​. This ...::2 address is only used for the tunnel interface endpoint. It is not a routable address and it can't be used for anything else than connecting to the other end of the tunnel, typically ...::1

+

* **ip6prefix**:​ The tunnel provider gives you also a routable prefix, typically either /48 or /64, for example '​2001:​DB8:​1112::/​48'​ or '​2001:​DB8:​1234:​ABCD::/​64'​. Your LAN clients will get addresses from that prefix. (See advice later in this article: [[doc/​uci/​network6#​router_advertisement_dhcpv6]])

+

+

:!: If your tunnel provider gives you a routable /48, /56 or /60 prefix, use that (instead of the /64), as a wider prefix will allow you to properly pass routable /64 prefixes to several networks (lan, guest, ...).

+

+

:!: If you choose a name for your tunnel-interface that is different from '​wan6'​ make sure to add that name to the network-option of the firewall-zone '​wan'​ in /​etc/​config/​firewall.

+

+

:!: The package ''​6in4''​ must be installed to use 6in4-tunnels. See [[doc/​uci/​network#​protocol.6in4.ipv6-in-ipv4.tunnel]] for advanced configuration options.

+

+

:!: Note that HE.net assigns an "​updatekey"​ by default for new tunnels since February 2014. If updatekey exists (visible in tunnel'​s advanced info page at the he.net site), it needs to be used instead of the password. Support for that option has been introduced in Openwrt trunk by r39646. Old tunnels without updatekey will continue to work with password.

+

+

:!: To allow 6in4 traffic to always reach your tunnel endpoint, it may be necessary to pass IPv4 protocol 41 traffic with the following firewall configuration stanza:

+

+

|''​config rule

+

option src wan

+

option proto 41

+

option target ​ ​ACCEPT

+

''​|

+

==== 6rd tunnel (ISP-provided IPv6 transition) ====

+

6rd is a tunnelmechanism based on 6to4. Unlike other tunneling mechanisms 6rd is usually provided by the ISP itself. The values for the tunnel are usually obtained with the DHCPv4 request for the WAN interface.

+

+

:!: In Chaos Calmer and later the configuration is usually auto-detected and manual configuration is not needed, simply installing the 6rd package (and rebooting) is usually enough.

+

+

/​etc/​config/​network:​

+

<​code>​

+

config interface '​wan'​

+

option ifname '​eth0.2'​

+

option proto '​dhcp'​

+

​

+

# The following two lines are only needed in Barrier Breaker

+

option iface6rd wan_6rd

+

option zone6rd wan

+

</​code>​

+

+

To debug 6rd via DHCP, first check if the parameters are sent. Create a /​etc/​udhcpc.user with the following content:

+

+

<​code>​

+

#!/bin/sh

+

env >> /​tmp/​udhcpc.log

+

</​code>​

+

+

Reboot the router and check the log file for the following line:

+

+

<​code>​

+

ip6rd=16 40 2001:​0838:​ad00:​0000:​0000:​0000:​0000:​0000 77.174.0.2

+

</​code>​

+

+

+

If this line isn't present, you need to obtain the correct values for peeraddr, ip6prefix, ip6prefixlen and ip4prefixlen from your ISP. The above ip6rd or the obtained values can be used to hardcode the 6RD tunnel. Remove or comment out the iface6rd line in the wan section.

+

+

/​etc/​config/​network:​

+

<​code>​

+

config interface '​wan6'​

+

option proto '​6rd'​

+

option peeraddr '​77.174.0.2'​

+

option ip6prefix '​2001:​838:​ad00::'​

+

option ip6prefixlen '​40'​

+

option ip4prefixlen '​16'​

+

</​code>​

+

+

:!: In Chaos Calmer the default /​etc/​config/​network works after installing the 6rd package. The mentioned dhcpv6 is ignored if it doesn'​t succeed. The above configuration for Barrier Breaker works also in later variants and may be less confusing.

+

+

:!: If you choose a name for your tunnel-interface that is different from '​wan6'​ make sure to add that name to the network-option of the firewall-zone '​wan'​ in /​etc/​config/​firewall.

+

+

:!: The package ''​6rd''​ must be installed to use 6rd-tunnels. See [[doc/​uci/​network#​protocol_6rd_ipv6_rapid_deployment]] for advanved configuration options.

+

+

==== 6pe, L2TP tunnel, softwire (ISP-provided IPv6 transition) ====

+

+

This is another transitional mechanism for IPv6, used by some ISPs. It relies on a L2TPv2 tunnel.

+

+

Detailed configuration:​ [[doc/​howto/​ipv6.softwire]]

+

+

==== 6to4 tunnel ====

+

6to4 is the simplest IPv6 tunneling mechanism and relies on publicly available gateways.

+

+

+

/​etc/​config/​network:​

+

<​code>​

+

config '​interface'​ '​wan6'​

+

option '​proto'​ '​6to4'​

+

+

config '​interface'​ '​lan'​

+

option '​proto'​ '​static'​

+

option ip6assign 60

+

...

+

</​code>​

+

+

+

:!: If you choose a name for your tunnel-interface that is different from '​wan6'​ make sure to add that name to the network-option of the firewall-zone '​wan'​ in /​etc/​config/​firewall.

+

+

:!: The package ''​6to4''​ must be installed to use 6to4-tunnels. See [[doc/​uci/​network#​protocol.6to4.ipv6-in-ipv4.tunnel]] for advanved configuration options.

+

+

+

==== Dual-Stack Lite tunnel (ds-lite IPv4 in IPv6) ====

+

ds-lite is a transitioning-mechanism which is used by ISPs to support legacy IPv4-connectivity over a native IPv6 connection.

+

+

:!: In Chaos Calmer and later the configuration is usually auto-detected and manual configuration is not needed, simply installing the ds-lite package (and rebooting) is usually enough.

+

+

/​etc/​config/​network:​

+

<​code>​

+

config '​interface'​ '​wan6'​

+

option '​ifname'​ '​eth1'​

+

option '​proto'​ '​dhcpv6'​

+

+

config '​interface'​ '​wan'​

+

option '​proto'​ '​dslite'​

+

option '​peeraddr'​ '​2001:​db80::​1'​ # Your ISP's DS-Lite AFTR

+

</​code>​

+

+

:!: If you choose a name for your tunnel-interface that is different from '​wan'​ make sure to add that name to the network-option of the firewall-zone '​wan'​ in /​etc/​config/​firewall.

+

+

:!: The package ''​ds-lite''​ must be installed to use ds-lite-tunnels. See [[doc/​uci/​network#​protocol.dslite.dual-stack.lite]] for advanved configuration options.

+

+

+

+

===== Downstream configuration for LAN-Interfaces =====

+

+

OpenWrt includes a flexible local prefix delegation mechanism.

+

It can be tuned for each downstream-interface individually with 3 parameters which are all optional:

+

* ''​ip6assign'':​ Prefix size used for assigned prefix to the interface (e.g. 64 will assign /​64-prefixes)

+

* ''​ip6hint'':​ Subprefix ID to be used if available (e.g. 1234 with an ip6assign of 64 will assign prefixes of the form ...:​1234::/​64)

+

* ''​ip6class'':​ Filter for prefix classes to accept on this interface (e.g. wan6 will only assign prefixes with class "​wan6"​ but not e.g. "​local"​)

+

+

+

ip6assign and / or ip6hint-settings might be ignored if the desired subprefix cannot be assigned. In this case OpenWrt will first try to assign a prefix with the same length but different subprefix-ID.

+

If this fails as well the prefix length is reduced until the assignment can be satisfied. If ip6hint is not set an arbitrary ID will be chosen. Setting the ip6assign-parameter to a value < 64 will allow the DHCPv6-server to hand out all but the first /64 via DHCPv6-Prefix Delegation to downstream routers on the interface. If the ip6hint is not suitable for the given ip6assign it will be rounded down to the nearest possible value.

+

+

If ip6class is not set then all prefix classes are accepted on this interface. The default class for a prefix is the interface-name (e.g. "​wan6"​) or "​local"​ for the ULA-prefix.

+

This can be used to select upstream interfaces from which subprefixes are assigned. For prefixes received from dynamic-configuration methods like DHCPv6 it is possible that the prefix-class

+

is not equal to the source-interface but e.g. augmented with an ISP-provided numeric prefix class-value.

+

+

+

Example (/​etc/​config/​network):​

+

<​code>​

+

config globals globals

+

option ula_prefix fd00:​db80::/​48

+

+

config interface wan6

+

option proto static

+

option ip6prefix 2001:​db80::/​56

+

...

+

+

config interface lan

+

option proto static

+

option ip6assign 60

+

option ip6hint 10

+

...

+

+

config interface guest

+

option proto static

+

option ip6assign 64

+

option ip6hint abcd

+

list ip6class wan6

+

...

+

</​code>​

+

+

The results of that configuration would be:

+

+

* The ''​lan''​ interface will be assigned the prefixes 2001:​db80:​0:​10::/​60 and fd00:​db80:​0:​10::/​60.

+

* The DHCPv6-server can offer both prefixes except 2001:​db80:​0:​10::/​64 and fd00:​db80:​0:​10::/​64 to downstream routers on ''​lan''​ via DHCPv6-PD.

+

* The ''​guest''​ interface will only get assinged the prefix 2001:​db80:​0:​abcd::/​64 due to the class filter.

+

+

+

===== Router Advertisement & DHCPv6 =====

+

+

OpenWrt features a versatile RA & DHCPv6 server and relay. Per default SLAAC, stateless and stateful DHCPv6 are enabled on an interface. If there are prefix of size /64 or greater present then addresses will be handed out from each prefix. If all prefixes on an interface have a size greater /64 then DHCPv6-Prefix Delegation is enabled for downstream-routers. If a default route is present the router advertises itself as default router on the interface.

+

+

OpenWrt is also able to detect when there is no prefix available from an upstream interface and can switch into relaying mode automatically to extend the upstream interface configuration onto its downstream interfaces. This is useful for putting an OpenWrt behind another IPv6-router which doesn'​t offer prefixes via DHCPv6-PD.

+

+

:!: The package ''​odhcpd''​ must be installed to provide these services.

+

+

Example configuration section for SLAAC + DHCPv6 server mode (/​etc/​config/​dhcp). This is suitable also for a typical 6in4 tunnel configuration,​ where you specify the fixed LAN prefix in the tunnel interface config.

+

<​code>​

+

config dhcp lan

+

option dhcpv6 server

+

option ra server

+

</​code>​

+

+

Example configuration section for SLAAC alone (/​etc/​config/​dhcp)

+

<​code>​

+

config dhcp lan

+

option dhcpv6 disabled

+

option ra server

+

</​code>​

+

+

Example configuration section for relaying (/​etc/​config/​dhcp)

+

<​code>​

+

config dhcp wan6

+

option dhcpv6 relay

+

option ra relay

+

option ndp relay

+

option master 1

+

+

config dhcp lan

+

option dhcpv6 relay

+

option ra relay

+

option ndp relay

+

</​code>​

+

+

===== Routing Mangement =====

+

OpenWrt uses a source-address and source-interface based policy-routing system. This is required to correctly handle different uplink interfaces.

+

Each delegated prefix is added with an unreachable route to avoid IPv6-routing loops.

+

+

To determine the current status of routes you can consult the information provided by ''​ifstatus''​.

+

+

Example (ifstatus wan6):

+

<​code>​

+

...

+

"​ipv6-address":​ [

+

{

+

"​address":​ "​2001:​db80::​a00:​27ff:​fe67:​cd9c",​

+

"​mask":​ 64,

+

"​preferred":​ 1681,

+

"​valid":​ 7081

+

}

+

],

+

"​ipv6-prefix":​ [

+

{

+

"​address":​ "​2001:​db80:​0:​100::",​

+

"​mask":​ 56,

+

"​preferred":​ 86282,

+

"​valid":​ 86282,

+

"​class":​ "​wan6",​

+

"​assigned":​ {

+

"​lan":​ {

+

"​address":​ "​2001:​db80:​0:​110::",​

+

"​mask":​ 60

+

}

+

}

+

}

+

],

+

"​route":​ [

+

{

+

"​target":​ "​2001:​db80::",​

+

"​mask":​ 48,

+

"​nexthop":​ "​fe80::​800:​27ff:​fe00:​0",​

+

"​metric":​ 1024,

+

"​valid":​ 7081

+

},

+

{

+

"​target":​ "::",​

+

"​mask":​ 0,

+

"​nexthop":​ "​fe80::​800:​27ff:​fe00:​0",​

+

"​metric":​ 1024,

+

"​valid":​ 7081

+

}

+

],

+

...

+

</​code>​

+

Interpretation:​

+

* On the interface 2 routes are provided: 2001:​db80::/​48 and a default-route via the router fe80::​800:​27ff:​fe00:​0.

+

* These routes can only be used by locally generated traffic and traffic with a suitable source-address,​ that is either one of the local addresses or an address out of the delegated prefix.

+

+

:!: OpenWrt adds IPv6-routes (like default routes) to specific routing-tables and not the main-table thus they may not be seen by default. You can use the command ''​ip -6 rule''​ to list all current routing policies.

+

+

===== Migration from Attitude Adjustment 12.09 and earlier =====

+

+

This section gives advice about needed changes if your network configuration file dates back to AA12.09, Backfire 10.03 or earlier.

+

+

**IPv6 Forwarding**

+

+

To ensure that IPv6 forwarding is working correctly, please check that your /​etc/​sysctl.conf contains the following entries:

+

<​code>​

+

net.ipv6.conf.default.forwarding=1

+

net.ipv6.conf.all.forwarding=1

+

</​code>​

+

+

**Downstream configuration for LAN-Interfaces**

+

+

It is discouraged to use **ip6addr** to set addresses / prefixes on downstream interfaces (e.g. lan) because it can easily lead to conflicts with the local address delegation.

+

Also it might lead to unexpected result or brokenness due to the source-based policy-routing used in the IPv6-stack.

+

+

Please use the new options **ip6assign** and **ip6hint** instead.

+

+

Example: If your delegated prefix is 2001:​db80:​1234::/​48 and you want your lan interface to have the subprefix 2001:​db80:​1234:​5678::/​64 you could use the following configuration:​

+

<​code>​

+

config '​interface'​ '​lan'​

+

​option '​proto'​ '​static'​

+

​option '​ip6assign'​ '​64'​

+

​option '​ip6hint'​ '​5678'​

+

...

+

</​code>​

+

+

If the router can ping6 the internet, but lan machines get "​Destination unreachable:​ Unknown code 5" or "​Source address failed ingress/​egress policy"​ then the **ip6assign** option is missing on your lan interface.

+

+

**Router Advertisement & DHCPv6**

+

+

The use of radvd is now unnecessary. The service odhcpd is used for Router Advertisement and DHCPv6 and picks up addresses from interfaces automatically.

+

+

:!: 6relayd was shortly used after radvd, but before odhcpd superseeded it.

+

+

**Upstream Configuration for WAN Interfaces**

+

+

* Generic Changes: Router Advertisements are not accepted by default anymore and thus OpenWrt will not configure itself with default routes and / or addresses. Also the interface-options **accept_ra** and **send_rs** have been removed. You should add an interface with proto dhcpv6 - also for receiving RAs only - as described in [[#​native.ipv6.connection|Native IPv6 Connection]].

+

+

* 6in4 tunnel and Static IPv6 connection: It is now necessary to add your routed-prefix (e.g. routed /48 of your tunnel) as option **ip6prefix** to the tunnel/​static-interface in /​etc/​config/​network. If you omit this option your lan-clients will not be able to reach the internet. Example:

* 6rd and 6to4 tunnel : Your public address prefix is now automatically calculated and sent to the network subsystem (netifd). You should follow the advice for [[#​downstream.configuration.for.lan-interfaces1|lan-interface configuration]].